Identity Governance
Thesis
Central IAM systems only really add value if they help automate the lifecycle of identities. To do that, the IAM system needs a feeding source of the people involved in the organization, and more often than not that source is best placed in an HR system.
However, the complexity of HR data is nearly always the elephant in the room when implementing IAM systems. For a much better and deeper insight into this subject, read the LinkedIn article here: https://www.linkedin.com/posts/mikael-b%C3%A6k-jensen-2467ab6_for-any-one-out-there-who-has-ever-encountered-activity-6773355067434168320-wNxe. I will only cover it briefly and then add even more complexity on top.
HR System states
The thing about HR data is that it is never constant. Of course the actual data of individuals changes, but the master data changes all the time as well. Organizational changes in particular are a challenge, as IAM birthrights nearly always depend on HR data such as department, company, site location, title/function, the manager/non-manager flag and more.
All these bits and pieces are natural starting points for automatically assigned roles and entitlements. However, when the master data changes, the affiliation to these bits and pieces can be broken, and the associated roles and entitlements are immediately removed. Typically this means department shares, mail lists, access to specific buildings, VPN and so on.
The above is true for any HR system, and it is a risk and a continuous issue throughout the entire lifespan of the IAM platform.
Adding even more complexity and risks
So I promised to add even more complexity and only add to the frustration of implementing and operating an IAM solution. Not that authoritative feeding sources are not complex enough already, and let's face it: they are the top troublemaker in regards to stability. The IAM system will be the main culprit in the eyes of the business every time someone loses roles and access, regardless of who the actual culprit is, and the IAM system will be marked as unstable and a risk.
Multiple HR systems
Having one central HR system is the desired goal for most organizations. However, for large multinational corporations with employees in nearly every country on the planet, you face local laws and legislation: the EU GDPR, the US mandatory registration of race, disability status, gender, age and so on, and yet other mandatory data in some Asian nations. Some of these conflict with each other, such as the EU GDPR in regards to race and disabilities, and add to that the fact that both the United States and the EU forbid these data from being transferred across their borders, so the only real alternative is often to have multiple regional HR systems.
As if one HR system was not bad enough, imagine having several, each of which can change uncoordinated with the others. A nightmare, yes?
Master data
Many organizations have master data modelling and storage tools that centralize master and meta data, so such a system is the actual authoritative source for all that data, which is consumed by the HR systems and may or may not be implemented there as well. However, when master data changes, does the HR system - or systems - change as well? And do they change in time? Not always. In fact I will claim that HR systems rarely integrate with authoritative master data sources, and for the HR system to deliver what it is meant to do, being in sync instantly is not a high priority.
The impossible mission
Staying compliant, synchronized and stable in the above environment, or in any organization of a certain size, very quickly becomes mission impossible. There is a very slim chance you will be able to operate and maintain your IAM solution in a manner that is suitable and acceptable for the business. On top of that, the IAM system will become the business blocker for implementing new systems and solutions, as any changes to the IAM system will be massive and complex projects that eat resources, money and time.
What is the alternative?
The good news is that there IS a solution, and it is basically stolen/borrowed from the financial world: auditing and controlling.
In finance and bookkeeping there is not only one way of crediting, debiting and controlling. On top of that, tax, VAT and national legislation can be vastly different, making it impossible to implement one process and one data syntax for everything. Instead the data is collected raw, certain rules are applied to it, and only the data that deviates from the applied ruleset is looked at further. Then you apply local rules and processes to the deviations, at the departments that own them, and gradually you get in control and ensure compliance.
This has been adopted in the world of IAM and is called Identity Governance, utilizing Identity Analytics.
What is it?
Identity Governance goes further than traditional Identity Management and is a sub-discipline of Identity and Access Management.
Identity governance is the policy-based centralized orchestration of user identity management and access control
…
Identity governance products differ from identity and access management systems by enabling organizations to define, enforce, review and audit IAM policy, but also map IAM functions to compliance requirements and in turn audit user access to support compliance reporting.
Source: What is identity governance? - Definition from WhatIs.com (techtarget.com)
Identity Analytics is basically a data warehouse discipline.
All data from authoritative sources, downstream systems and the IAM system is imported raw. Then some transformation and correlation is done in order to create identities and link endpoint accounts to them. From that point, the massive amount of data serves as a store of the actual state across the entire organization. Not all endpoint accounts and data can be linked to identities, and the Identity Analytics (IDA) platform does only that: it provides the entire data foundation.
You can now apply custom filters, rules, joins, correlations and searches, which you can use to test or validate policies and see how much deviates from them. With your Identity Governance engine you can then start review processes and certification campaigns on the things that deviate, and you can automate these review and certification campaigns. Slowly you can work with the data to transform, streamline and gradually automate more and more as the number of deviations drops. In this very tool you can automate review, certification and notification processes if HR data and/or master data suddenly deviates from the desired state, so you can react proactively and prevent unwanted deprovisioning or massive impacts on the IAM system and downstream systems alike.
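The following is an added example (not code from the original post or any IGA product) of the analytics pass described above, and it also shows the birthright-removal failure mode from the "HR System states" section. It uses constructed HR snapshots, constructed endpoint accounts and a made-up birthright policy, and contrasts the classic "enforce" outcome with the "govern" outcome, where a mass master-data change or an excess entitlement becomes a deviation for review instead of an immediate revocation.

```python
# Added example, not from the original post: a toy Identity Analytics pass over
# constructed HR and account data, contrasting classic "enforce" behaviour (birthrights
# revoked once HR master data stops matching policy) with "govern" (raise deviations for review).

# Constructed HR snapshots: in HR_AFTER the department master data was renamed
# "R&D" -> "RND" without anyone updating the IAM birthright policy.
HR_BEFORE = [
    {"emp_id": "1001", "email": "ann@example.test", "dept": "R&D"},
    {"emp_id": "1002", "email": "bob@example.test", "dept": "R&D"},
    {"emp_id": "1003", "email": "cid@example.test", "dept": "Sales"},
]
HR_AFTER = [dict(r, dept="RND") if r["dept"] == "R&D" else r for r in HR_BEFORE]
# Endpoint accounts imported raw; "svc-old" matches no HR record (orphan account).
ACCOUNTS = [
    {"login": "ann", "email": "ann@example.test", "groups": {"rd-share", "vpn"}},
    {"login": "bob", "email": "bob@example.test", "groups": {"rd-share", "vpn"}},
    {"login": "cid", "email": "cid@example.test", "groups": {"sales-share", "vpn"}},
    {"login": "svc-old", "email": None, "groups": {"rd-share"}},
]
BIRTHRIGHTS = {"R&D": {"rd-share", "vpn"}, "Sales": {"sales-share"}}  # dept -> entitlements

def hr_drift(before, after):
    """Fraction of identities whose department changed between two HR snapshots."""
    old = {r["emp_id"]: r["dept"] for r in before}
    return sum(old.get(r["emp_id"]) != r["dept"] for r in after) / max(len(after), 1)

def correlate(hr, accounts):
    """Link accounts to identities by e-mail; return (identities, orphan accounts)."""
    ident = {r["email"]: dict(r, groups=set()) for r in hr}
    for a in accounts:
        if a["email"] in ident:
            ident[a["email"]]["groups"] |= a["groups"]
    return list(ident.values()), [a for a in accounts if a["email"] not in ident]

def evaluate(hr_prev, hr_now, accounts, mode, drift_limit=0.25):
    """'enforce': groups to revoke now.  'govern': deviations to put under review."""
    out, drift = {"revoke": [], "review": []}, hr_drift(hr_prev, hr_now)
    if mode == "govern" and drift > drift_limit:
        # Mass master-data change: review the feed itself before touching any access.
        out["review"].append(("hr_drift", round(drift, 2)))
        return out
    identities, orphans = correlate(hr_now, accounts)
    for i in identities:
        extra = sorted(i["groups"] - BIRTHRIGHTS.get(i["dept"], set()))
        if extra and mode == "enforce":
            out["revoke"].append((i["emp_id"], extra))  # immediate loss of access
        elif extra:
            out["review"].append(("excess_access", i["emp_id"], extra))
    out["review"] += [("orphan_account", a["login"]) for a in orphans]
    return out
```

Running evaluate(HR_BEFORE, HR_AFTER, ACCOUNTS, "enforce") revokes every R&D birthright after the rename, while the "govern" mode raises a single hr_drift deviation and leaves access untouched until the feed has been reviewed.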
Conclusion
By utilizing modern data warehouse technology and Identity Governance you can very quickly implement an IAM solution that gets you in control and delivers value from day one. The solution is furthermore, by nature, resilient to changes in any connected system, as instead of enforcing by default it notifies and/or starts processes for anything that deviates.
It is therefore highly recommended to take the "governance first" approach rather than IDM and automation first.